@elnora-ai/linear 1.0.1 → 2.0.0

package/templates/ACC-QTR-review.md

@@ -0,0 +1,77 @@
+# ACC-QTR: Quarterly Access Review
+
+## Quick Reference
+- **SLA:** 30 days
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Quarterly Access Reviews
+
+## Required Labels
+- `Type: research`
+- `Flag: compliance`
+- `Layer: devops`
+
+## Issue Template
+```markdown
+## Quarterly Access Review
+
+**Review Period:** Q[1-4] [YYYY]
+**Review Start Date:** [YYYY-MM-DD]
+**Review Deadline:** [YYYY-MM-DD] (30 days from start)
+**Reviewer:** [Name]
+
+## Scope of Review
+Review all user access to ensure alignment with current job roles and least privilege principle.
+
+## Systems Under Review
+- [ ] Google Workspace (accounts, groups, drive permissions)
+- [ ] GitHub (organization members, repository access, team memberships)
+- [ ] AWS (IAM users, roles, policies)
+- [ ] Linear (workspace members, team access)
+- [ ] Slack (workspace members, channel access)
+- [ ] [Other systems]
+
+## Review Checklist
+
+### Per-System Review
+For each system, verify:
+- [ ] All active accounts belong to current employees/authorized contractors
+- [ ] Access levels match current job responsibilities
+- [ ] No terminated users still have access
+- [ ] Group/team memberships are appropriate
+- [ ] Privileged accounts are justified and documented
+
+### Access Matrix Verification
+| User | System | Current Access | Appropriate? | Action Needed |
+|------|--------|----------------|--------------|---------------|
+| | | | Yes/No | |
+
+## Findings
+
+### Unauthorized Access Discovered
+| User | System | Issue | Corrective Action | Ticket |
+|------|--------|-------|-------------------|--------|
+| | | | | |
+
+### Access Level Adjustments Needed
+| User | System | Current | Should Be | Reason |
+|------|--------|---------|-----------|--------|
+| | | | | |
+
+### Orphaned Accounts
+| Account | System | Last Activity | Action |
+|---------|--------|---------------|--------|
+| | | | |
+
+## Corrective Actions
+[Create linked ACC-REV tickets for any required access removals]
+
+## Sign-off
+- [ ] Review completed by: _________________ Date: _______
+- [ ] Findings reviewed by management: _________________ Date: _______
+- [ ] Corrective actions assigned
+
+## Attestation
+I certify that this access review has been completed thoroughly and all findings have been documented and addressed.
+
+Signature: _________________ Date: _______
+```

package/templates/ACC-REV-revoke.md

@@ -0,0 +1,67 @@
+# ACC-REV: Access Revocation
+
+## Quick Reference
+- **SLA:** 24 hours
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Access Revocation
+
+## Required Labels
+- `Type: bug` (treating as urgent remediation)
+- `Access Revocation` (3-day SLA, but target 24 hours)
+- `Layer: devops`
+
+## Issue Template
+```markdown
+## Access Revocation Request
+
+**Request ID:** ACC-REV-YYYY-XXX
+**Request Date:** [YYYY-MM-DD HH:MM]
+**DEADLINE:** [24 business hours from request]
+
+## URGENT: Complete within 24 business hours
+
+## Employee/Contractor Information
+- **Name:** [Full name]
+- **Role/Title:** [Job title]
+- **Department:** [Department/Team]
+- **Last Working Day:** [YYYY-MM-DD]
+- **Termination Type:** [Voluntary / Involuntary / Contract End]
+
+## Revocation Checklist
+
+### Priority 1: Immediate (within 4 hours)
+- [ ] Google Workspace account suspended
+- [ ] GitHub organization membership removed
+- [ ] AWS IAM access revoked
+- [ ] Slack workspace deactivated
+- [ ] Linear access removed
+- [ ] MFA tokens invalidated
+- [ ] Active sessions terminated
+
+### Priority 2: Same Day
+- [ ] Email forwarding configured (if applicable)
+- [ ] Shared passwords rotated (if any known)
+- [ ] Service account credentials reset (if applicable)
+- [ ] VPN/remote access disabled
+- [ ] API keys/tokens revoked
+
+### Priority 3: Within 24 Hours
+- [ ] Physical access/badge deactivated (if applicable)
+- [ ] Forwarding rules reviewed
+- [ ] Shared drive permissions audited
+- [ ] Distribution list memberships removed
+
+## Data Handover
+- [ ] Manager notified of data handover requirements
+- [ ] Critical data/files transferred to manager
+- [ ] Email archive created (if required for retention)
+
+## Verification
+- [ ] All system access confirmed revoked
+- [ ] Cannot authenticate to any system
+- [ ] Revocation logged in access records
+
+## Sign-off
+- [ ] IT Verification: _________________ Date: _______ Time: _______
+- [ ] HR Confirmation: _________________ Date: _______
+```

package/templates/AI-USE-capability.md

@@ -0,0 +1,111 @@
+# AI-USE: AI Capability Scope (Use-Case Approval)
+
+## Quick Reference
+- **SLA:** 5-10 days
+- **Team:** the team responsible for AI governance in your workspace (typically Operations, Compliance, or Security)
+- **Project:** AI Governance
+- **Scope:** Customer-facing AI capabilities only. Internal AI tooling (IDE assistants, agent-drafted ops emails, internal automations) is out of scope.
+
+## When to use this template
+
+Open an `AI-USE` ticket when any of the following is true for a customer-facing AI capability:
+
+- A new AI capability is being added (new use case).
+- An existing capability is being materially expanded — new data modality, new decision impact, autonomous action, new customer-data type, regulated-adjacent surface area.
+- Foundation-model **family** is being changed for the AI Service (e.g. moving primary inference from one vendor to another). Routine version swaps within the same family do NOT require this template — they ride the normal PR review.
+
+Required by your organization's Responsible AI Policy (see `<your-AI-policy>` reference in this repo's documentation).
+
+## Required Labels
+- `Type: compliance-task`
+- `Template: AI-Use-Case`
+- `Flag: compliance`
+- `Flag: AI-Incident` — only if this scope record is opened in response to an AI incident
+
+## Issue Template
+
+```markdown
+## AI Capability Scope
+
+**Capability ID:** AI-USE-YYYY-XXX
+**Capability Name:** [Short descriptive name]
+**Requested By:** [Name]
+**Date Requested:** [YYYY-MM-DD]
+**Status:** [Proposed / Under Review / Approved / Rejected / Withdrawn]
+
+## 1. Intended Purpose
+
+[What this capability does and the user problem it solves. Write for a customer auditor — concrete, no marketing language.]
+
+## 2. Users
+
+- **Customer-side users:** [Roles, seniority, domain expertise]
+- **Internal users (if any):** [e.g. customer success engineers running the capability on behalf of the customer]
+- **Out-of-scope users:** [Roles or contexts explicitly NOT supported]
+
+## 3. Data Sources
+
+| Data source | Type | Customer Data? | Personal Data? | Notes |
+|-------------|------|----------------|----------------|-------|
+| [Source] | [Prompt / RAG corpus / Live retrieval / Vendor model weights] | [Y/N] | [Y/N] | [Retention, isolation, consent basis] |
+
+## 4. Foundation Models
+
+| Vendor | Model family | Endpoint pattern | ZDR? | Listed in your Model Vendor Register? |
+|--------|--------------|------------------|------|--------------------------------------|
+| | | | | |
+
+## 5. Decision Impact
+
+- **What does the Output inform?** [Customer-facing decision, workflow step, recommendation...]
+- **Who is the human-in-the-loop?** [Role + decision they make before Output is acted on]
+- **What happens if the Output is wrong?** [Realistic worst case in the customer's domain terms]
+- **Is this High-Risk Use under EU AI Act Annex III or your Responsible AI Policy definition?** [Y/N + reasoning]
+
+## 6. Refusal Patterns
+
+[What the system declines. Reference your Acceptable Use Policy categories. Note any new refusal patterns introduced for this capability.]
+
+## 7. Known Limitations
+
+[Domain coverage gaps, hallucination risk areas, model-specific failure modes you've observed, latency characteristics, etc.]
+
+## 8. Reviews
+
+- [ ] AI Governance Owner review
+- [ ] CTO / Engineering lead review
+- [ ] Acceptable Use Policy: capability stays within scope
+- [ ] Data Management Policy: data sources, retention, and tenant isolation align
+- [ ] Third-Party Management Policy: any new vendor recorded in the Model Vendor Register
+- [ ] High-Risk Use risk assessment completed (only if § 5 flagged Y)
+
+## 9. Customer Disclosure
+
+- [ ] Updates required to current Model Card? [Y/N — describe]
+- [ ] Release notes drafted for affected customers? [Y/N — link]
+- [ ] Per-customer playbook updates required? [Y/N — list customers]
+- [ ] AI-generated labelling unchanged? [Y/N — describe any change]
+
+## 10. Approval
+
+| Role | Name | Decision | Date |
+|------|------|----------|------|
+| AI Governance Owner | | | |
+| CTO / Engineering lead | | | |
+
+## 11. Post-Approval Tracking
+
+Link the implementation issue(s) and the corresponding GitHub PR(s):
+
+- Implementation: [ISSUE-XXX]
+- PR(s): [#XXX]
+- Evaluation Suite results summary: [link or paste]
+- Model Card updated: [link to PR or commit]
+```
+
+## Resources
+
+- `<your-AI-policy>`: your Responsible AI Policy
+- Model Vendor Register: your register of approved AI model vendors
+- Acceptable Use Policy: your customer-facing AUP
+- Risk Assessment template (for High-Risk Use): `RSK-ASS-assessment.md`

package/templates/AUD-CAP-corrective.md

@@ -0,0 +1,89 @@
+# AUD-CAP: Corrective Action Plan
+
+## Quick Reference
+- **SLA:** 5-30 days (severity-based)
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Corrective Actions
+
+## Required Labels
+- `Type: bug`
+- `Flag: compliance`
+- `Layer: [affected area]`
+- Severity: Major NC = High, Minor NC = Medium
+
+## Issue Template
+```markdown
+## Corrective Action Plan
+
+**CAP ID:** AUD-CAP-YYYY-XXX
+**Source:** [Internal Audit / External Audit / Incident / Management Review]
+**Source Reference:** [Audit report ID or incident ID]
+**Finding Date:** [YYYY-MM-DD]
+
+## Finding Details
+- **Finding Type:** [Major NC / Minor NC / Opportunity for Improvement]
+- **Control/Area:** [ISO 27001 control reference or ISMS area]
+- **Finding Description:** [Detailed description of the nonconformity]
+- **Evidence:** [What evidence demonstrated the NC]
+
+## Root Cause Analysis
+**Immediate Cause:**
+[What directly caused the NC]
+
+**Root Cause:**
+[Underlying reason - use 5 Whys if needed]
+
+**Contributing Factors:**
+[Other factors that contributed]
+
+## Corrective Action Plan
+
+### Immediate Actions (Containment)
+| Action | Owner | Deadline | Status |
+|--------|-------|----------|--------|
+| | | | |
+
+### Corrective Actions (Fix Root Cause)
+| Action | Owner | Deadline | Status |
+|--------|-------|----------|--------|
+| | | | |
+
+### Preventive Actions (Prevent Recurrence)
+| Action | Owner | Deadline | Status |
+|--------|-------|----------|--------|
+| | | | |
+
+## Resource Requirements
+- **Personnel:** [Time/effort needed]
+- **Budget:** [If applicable]
+- **Tools/Systems:** [If needed]
+
+## Documentation Updates Required
+- [ ] Policy update needed: [Which policy]
+- [ ] Procedure update needed: [Which procedure]
+- [ ] Training update needed: [Which training]
+- [ ] Risk register update needed
+
+## Effectiveness Verification
+**Verification Method:**
+[How will we verify the corrective action was effective?]
+
+**Verification Date:**
+[When will effectiveness be checked]
+
+**Verification Results:**
+[To be completed after verification]
+
+## Approvals
+- [ ] Action plan approved by: _________________ Date: _______
+- [ ] Implementation verified by: _________________ Date: _______
+- [ ] Effectiveness verified by: _________________ Date: _______
+
+## Closure
+- [ ] All actions completed
+- [ ] Effectiveness verified
+- [ ] Documentation updated
+- [ ] Finding closed
+
+Closure Date: _________________ Closed By: _________________
+```

package/templates/AUD-INT-internal.md

@@ -0,0 +1,92 @@
+# AUD-INT: Internal Audit
+
+## Quick Reference
+- **SLA:** 60 days
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Internal Audits
+
+## Required Labels
+- `Type: research`
+- `Flag: compliance`
+- `Layer: [scope-dependent]`
+
+## Issue Template
+```markdown
+## ISMS Internal Audit
+
+**Audit ID:** AUD-INT-YYYY-XXX
+**Audit Period:** [YYYY-MM-DD to YYYY-MM-DD]
+**Audit Type:** [Annual / Ad-hoc / Follow-up]
+
+## Audit Planning
+
+### Scope
+[Define audit scope - which ISMS areas, controls, processes]
+
+### Objectives
+1. [Objective 1]
+2. [Objective 2]
+3. [Objective 3]
+
+### Auditor Information
+- **Lead Auditor:** [Name]
+- **Auditor(s):** [Names]
+- **Independence Verification:** [Confirm auditors not implementing controls being audited]
+
+### Audit Schedule
+| Date | Activity | Area/Control | Interviewee |
+|------|----------|--------------|-------------|
+| | | | |
+
+## Audit Criteria
+- ISO 27001:2022 requirements
+- Statement of Applicability controls
+- Internal policies and procedures
+- Regulatory requirements
+
+## Documents to Review
+- [ ] Information Security Policy
+- [ ] Risk Assessment and Treatment Plan
+- [ ] Statement of Applicability
+- [ ] [Other relevant documents]
+
+## Audit Execution Checklist
+- [ ] Opening meeting conducted
+- [ ] Document review completed
+- [ ] Interviews conducted
+- [ ] Evidence collected
+- [ ] Control testing performed
+- [ ] Closing meeting conducted
+
+## Findings Summary
+
+### Major Nonconformities
+| Finding ID | Control/Area | Description | Evidence |
+|------------|--------------|-------------|----------|
+| | | | |
+
+### Minor Nonconformities
+| Finding ID | Control/Area | Description | Evidence |
+|------------|--------------|-------------|----------|
+| | | | |
+
+### Opportunities for Improvement
+| OFI ID | Area | Recommendation |
+|--------|------|----------------|
+| | | |
+
+### Conforming Controls
+[List controls found to be operating effectively]
+
+## Corrective Action Requirements
+[Create linked AUD-CAP tickets for each NC]
+
+## Report Distribution
+- [ ] Draft report to Information Security Leader
+- [ ] Final report to ISMS Governance Council
+- [ ] Highlights presented at Management Review
+
+## Sign-off
+- [ ] Lead Auditor: _________________ Date: _______
+- [ ] Information Security Leader Review: _________________ Date: _______
+```

package/templates/AUD-MGT-management.md

@@ -0,0 +1,110 @@
+# AUD-MGT: Management Review
+
+## Quick Reference
+- **SLA:** 30 days
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Management Reviews
+
+## Required Labels
+- `Type: research`
+- `Flag: compliance`
+- `Layer: devops`
+
+## Issue Template
+```markdown
+## ISMS Management Review
+
+**Review ID:** AUD-MGT-YYYY-XXX
+**Review Date:** [YYYY-MM-DD]
+**Review Period:** [Period being reviewed]
+**Meeting Type:** [Annual / Quarterly / Ad-hoc]
+
+## Pre-Meeting Preparation
+
+### Required Inputs to Compile
+- [ ] Status of previous management review actions
+- [ ] Changes in external/internal context
+- [ ] Changes in interested parties' needs
+- [ ] ISMS performance metrics
+- [ ] Audit results (internal and external)
+- [ ] Nonconformity and corrective action status
+- [ ] Risk assessment status
+- [ ] Incident summary and trends
+- [ ] Security objectives progress
+- [ ] Feedback from stakeholders
+
+## Attendees (ISMS Governance Council)
+| Name | Role | Present |
+|------|------|---------|
+| | CEO | [ ] |
+| | CTO | [ ] |
+| | | [ ] |
+
+## Agenda
+
+### 1. Previous Review Actions Status
+| Action | Owner | Status | Notes |
+|--------|-------|--------|-------|
+| | | | |
+
+### 2. Context Changes
+**External Changes:**
+[Changes in regulatory, market, technology landscape]
+
+**Internal Changes:**
+[Organizational, process, technology changes]
+
+### 3. Performance Review
+**Security Metrics:**
+| Metric | Target | Actual | Status |
+|--------|--------|--------|--------|
+| | | | |
+
+**Objectives Progress:**
+| Objective | Progress | Status |
+|-----------|----------|--------|
+| | | |
+
+### 4. Audit Results Summary
+- Internal audit findings: [Summary]
+- External audit findings: [Summary]
+- Open nonconformities: [Count and summary]
+
+### 5. Risk Assessment Status
+- Risk register status: [Summary]
+- High risks: [List]
+- Risk treatment plan progress: [Summary]
+
+### 6. Incident Summary
+- Total incidents this period: [Count]
+- Incidents by severity: [Breakdown]
+- Key incident trends: [Summary]
+- Lessons learned implemented: [Summary]
+
+### 7. Resource Requirements
+[Budget, personnel, tool needs]
+
+## Decisions Made
+
+### ISMS Changes Approved
+| Change | Approved | Owner | Deadline |
+|--------|----------|-------|----------|
+| | Yes/No | | |
+
+### Actions Assigned
+| Action | Owner | Deadline | Priority |
+|--------|-------|----------|----------|
+| | | | |
+
+### Resource Approvals
+| Request | Approved | Amount | Notes |
+|---------|----------|--------|-------|
+| | Yes/No | | |
+
+## Sign-off
+All Governance Council members approve these minutes and decisions:
+
+| Name | Signature | Date |
+|------|-----------|------|
+| | | |
+```

package/templates/CHG-MAJ-major.md

@@ -0,0 +1,110 @@
+# CHG-MAJ: ISMS Major Change (Category 3)
+
+## Quick Reference
+- **SLA:** 15-30 days
+- **Team:** *the team that owns this workflow in your workspace*
+- **Project:** Major Changes
+
+## Required Labels
+- `Type: feature` or `Type: improvement`
+- `Flag: compliance`
+- `Flag: security`
+- `Layer: [all affected layers]`
+
+## Issue Template
+```markdown
+## ISMS Major Change Request
+
+**Change ID:** ISMS-YYYY-XXX
+**Category:** 3 - Major Change
+**Requested By:** [Name]
+**Date Requested:** [YYYY-MM-DD]
+**Target Implementation:** [YYYY-MM-DD] (minimum 30 days from request)
+
+## Change Description
+[Comprehensive description - affects ISMS scope/boundaries, security policy intent, organizational structure, introduces new technology, responds to regulatory changes, or post-incident modifications]
+
+## Change Type
+- [ ] ISMS scope or boundary change
+- [ ] Security policy intent change
+- [ ] Organizational structure change
+- [ ] New technology introduction
+- [ ] Regulatory/legal requirement change
+- [ ] Post-incident modification
+- [ ] Other: ___
+
+## Affected Areas
+### Documents
+| Document | Section | Type of Change |
+|----------|---------|----------------|
+| | | |
+
+### Systems
+[List all affected systems]
+
+### Processes
+[List all affected business processes]
+
+### Personnel/Roles
+[List affected roles and responsibilities]
+
+## Business Justification
+[Detailed justification including strategic alignment]
+
+## Comprehensive Risk Assessment
+### Identified Risks
+| Risk | Likelihood | Impact | Risk Level | Mitigation |
+|------|------------|--------|------------|------------|
+| | | | | |
+
+### Risk Treatment Decisions
+[Document risk treatment approach for each identified risk]
+
+## Resource Requirements
+- **Personnel:** [Detailed time/effort breakdown]
+- **Budget:** [Cost estimate with breakdown]
+- **Training:** [Training plan if required]
+- **External Support:** [Consultants/vendors if needed]
+
+## Implementation Plan
+| Phase | Milestone | Actions | Owner | Start | End |
+|-------|-----------|---------|-------|-------|-----|
+| 1 | | | | | |
+| 2 | | | | | |
+
+## Rollback Plan
+[Comprehensive rollback procedure]
+
+## Communication Plan
+| Audience | Message | Channel | Timing |
+|----------|---------|---------|--------|
+| | | | |
+
+## Training Plan
+[If applicable - training requirements and schedule]
+
+## Approvals (Full ISMS Governance Council)
+Management Review Meeting Date: [YYYY-MM-DD]
+
+| Council Member | Role | Signature | Date |
+|----------------|------|-----------|------|
+| | CEO | | |
+| | CTO | | |
+
+## Implementation Tracking
+- [ ] 30-day notice period completed
+- [ ] All approvals obtained
+- [ ] Implementation commenced
+- [ ] Milestone 1 complete
+- [ ] Milestone 2 complete
+- [ ] Full implementation complete
+- [ ] Post-implementation review scheduled
+
+## Verification Checklist
+- [ ] Change implemented per plan
+- [ ] All affected documents updated
+- [ ] Training completed (if required)
+- [ ] Change log updated
+- [ ] Effectiveness review scheduled
+- [ ] Lessons learned documented
+```